4

I run the network at a small college, and we're trying to improve how we handle public lab computers.

One thing I'm considering is using mandatory profiles. As part of the design for this, I want to know if I can set the profile to be stored on the local system. We would then deploy the profile to a folder on the local C: drive of each computer as part of our imaging process. This would help reduce network latency for loading the profile, and also allow us to have a slightly different profile depending on which lab you log in to.

Will this work, or does it have to be a network share? If it has to be a network share, will \\localhost work?

Joel Coel
  • Not putting this as an answer since it's a bit off your question, but have you considered using a default user profile and Deep Freeze? – pauska Dec 23 '11 at 01:48
  • @pauska - that's what we do currently, have done it for years. Unfortunately, it just doesn't work as well anymore with Windows 7 – Joel Coel Dec 23 '11 at 01:49
  • Ah, I see. Well, you should just try to configure roaming user profile for a test user against \\localhost\ and see if it works.. – pauska Dec 23 '11 at 01:57
  • Yes, local PC path will work well. You can also use %SYSTEMROOT%, %USERNAME% and other environment vars. – Sergey Dec 23 '11 at 05:38

4 Answers

5

I had the same problem. I had to set up a PC classroom for students with mandatory profiles without the use of an Active Directory domain server. I needed to set up and customize a LOCAL mandatory profile on a sample machine for replication. I wrote some notes in Italian to describe the working solution; below is an attempt to translate them (I apologize for my poor English).

  1. Log in as a user in the Administrators group
  2. From "User Management" create user student with password student and set:
    -Password never expires
    -User can not change password
  3. Start Menu > Change User > log in as user student
  4. Log Off
  5. Create a new folder in C:\Users\ and give it a name like defstudprofile.v2.
  6. Login as Administrator and copy the profile "DEFAULT" (the default system profile) to the newly created folder using the System Settings menu > Advanced > User Profiles Settings > BUTTON "Copy to ...".

    IMPORTANT! Before you copy, use "Change" to allow the group "Authenticated Users" to use the new profile.

    This operation overwrites the entire contents of the folder 'defstudprofile.v2' with the contents of the default profile, but allows 'Authenticated Users' to use it.

  7. Menu "Edit Local Users and Groups" > user "student" > "Profile": in the "Profile Path" box, enter the path of the folder defstudprofile.v2, remembering that the folder must be specified without the .v2 extension, so the path becomes C:\Users\defstudprofile
  8. Log Off
  9. Log in again as user student
  10. Customize the desktop settings, the home page of the browsers, the proxy, and anything else you need blocked or changed
  11. Log Off
  12. Log back in as user student and verify that the settings are all stored.
  13. Before you continue you should Log off and back several times, opening several applications to make sure they are all properly configured.
  14. Log in as an administrator. Go to the C:\Users\defstudprofile.v2 profile folder and rename the ntuser.dat file to ntuser.man
  15. Log Off
  16. DONE! Log in as student and try to change some settings, then log off and back in. The student profile is locked!

Further customizations of the mandatory profile can be done by renaming ntuser.man back to ntuser.dat to unlock the profile, and setting the file back to ntuser.man again to re-lock it.

Joel Coel
stefpronti
  • Thanks! I was basically doing this same procedure, but would never have stumbled on what you wrote down in step 7. – Michael Steele Jun 20 '13 at 18:50
  • The Copy To... button is disabled as of Windows 7 except in certain circumstances. There are tools to fake windows into re-enabling it, but they tend to just do that one part and don't address the several reasons why the button is disabled, resulting in subtly broken profiles. – Joel Coel Nov 22 '13 at 14:42
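
An added example, not part of the original answer or its comments: a PowerShell check that a local mandatory profile built with the steps above is actually locked and cannot be altered by non-administrators. The folder path is the one from the steps; the list of trusted SIDs and the function name are assumptions made for this example.

```powershell
# Added example: audit a locally stored mandatory profile (not from the original answers).
# Assumption: the folder name is the one used in the steps above.
$ProfileDir = 'C:\Users\defstudprofile.v2'

# Well-known SIDs allowed to hold write access (locale-independent, unlike group names).
$TrustedSids = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

# Rights that let a principal alter the profile, plus the GENERIC_ALL and
# GENERIC_WRITE bits that can appear on inherit-only entries.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask   = ([int]$WriteRights) -bor 0x10000000 -bor 0x40000000

function Get-MandatoryProfileFindings {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return @("Profile folder not found: $Path")
    }
    $findings = @()
    $man = Join-Path $Path 'ntuser.man'
    $dat = Join-Path $Path 'ntuser.dat'

    # The hive files are hidden, so test them through .NET rather than a directory listing.
    if (-not [System.IO.File]::Exists($man)) { $findings += 'ntuser.man missing: profile is not locked' }
    if ([System.IO.File]::Exists($dat))      { $findings += 'ntuser.dat present: profile was left unlocked' }

    # Flag any Allow entry that grants write-type rights to a non-administrative principal.
    $targets = @($Path)
    if ([System.IO.File]::Exists($man)) { $targets += $man }
    foreach ($target in $targets) {
        $rules = (Get-Acl -Path $target).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) {
                $findings += "Writable by $($rule.IdentityReference.Value) on ${target}: $($rule.FileSystemRights)"
            }
        }
    }
    return $findings
}

$result = @(Get-MandatoryProfileFindings -Path $ProfileDir)
if ($result.Count -eq 0) { 'OK: profile is locked and read-only for non-administrators' } else { $result }
```

Run it from an elevated prompt on a freshly imaged lab machine; any finding about a writable entry means one lab user could change what every later user loads.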
2

You can use any path that is reachable from the system when logging on. In case of a roaming profile, the user needs change permissions on the profile directory. In case of a mandatory profile read permissions are sufficient.

Advice: The creation of a new user profile involves a lot of disk activity. It might be faster if the profile template (in your case the mandatory profile stored locally) is read from the network since that reduces the IOPS the local disk has to deal with.

More information from my blog:

Articles about mandatory profiles

User Profile Design: A Primer

Helge Klein
  • This is a school, with classroom lab environments, where 40 people may all log in in the space of about a minute soon after class starts. In that situation, I'd rather not pull them all from the same network share. This is one reason we went away from roaming profiles. – Joel Coel Dec 23 '11 at 01:36
  • @JoelCoel A solution I've used for this is to Robocopy the Mandatory Profile down on machine startup and then use the local path to logon. The full profile is only copied the first time, and then just changes. I always create a logfile so I can keep an eye on how much time the copy operation is taking. I completely disagree with the second point in the answer, I'd much rather local disk activity over network activity. Where I've been asked to implement Mandatory Profiles, it's very nice to watch 40 machines logon with barely any network activity! – Dan Dec 23 '11 at 16:17
  • @Dan - The downside is your logon time can go from 1 minute to 10 real quick. Typically mandatory profiles are much larger than the default profile, and copying that much data can certainly prolong the profile experience. – Jim B Dec 23 '11 at 18:18
  • @JoelCoel when you had problems with roaming profile performance were you also using folder redirection? – Jim B Dec 23 '11 at 18:19
  • I haven't seen issues with login time, but I do always tweak the profile. In my experience you can improve login time compared to roaming. – Dan Dec 24 '11 at 08:52
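
An added example, not part of the original answer or comments: one way to script the approach described in the comments above, copying the mandatory profile down at machine startup with Robocopy and logging how long the copy takes. The share name, local folder, log path and function name are hypothetical.

```powershell
# Added example: startup script that mirrors a mandatory profile to the local disk.
# Assumptions (hypothetical names): \\fileserver\profiles$\lab.v2 is the master copy,
# C:\Users\defstudprofile.v2 is the local copy, C:\Logs holds the logfile.
$Source = '\\fileserver\profiles$\lab.v2'
$Dest   = 'C:\Users\defstudprofile.v2'
$Log    = 'C:\Logs\profile-sync.log'

function Sync-MandatoryProfile {
    param([string]$From, [string]$To, [string]$LogFile)

    $logDir = Split-Path -Parent $LogFile
    if (-not (Test-Path -LiteralPath $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    # /MIR       mirror the tree: after the first run only new or changed files are copied
    # /XJ        skip junction points (profiles contain legacy junctions that can loop)
    # /R:2 /W:5  bounded retries so an unreachable share cannot stall startup
    # /NP        no progress percentages in the log; /LOG+: appends to the logfile
    # Default copy flags carry data, attributes and timestamps but not ACLs, so the
    # local copy inherits its permissions from the destination folder.
    & robocopy.exe $From $To /MIR /XJ /R:2 /W:5 /NP "/LOG+:$LogFile" | Out-Null
    $code = $LASTEXITCODE
    $timer.Stop()

    # Robocopy exit codes are a bitmask; 8 and above mean at least one failure.
    $status = if ($code -ge 8) { 'FAILED' } else { 'ok' }
    $line = '{0:s} sync {1} exit={2} seconds={3:N1}' -f (Get-Date), $status, $code, $timer.Elapsed.TotalSeconds
    Add-Content -Path $LogFile -Value $line
    return ($code -lt 8)
}

if (-not (Sync-MandatoryProfile -From $Source -To $Dest -LogFile $Log)) {
    Write-Warning "Mandatory profile sync failed; see $Log"
}
```

As a computer startup script this runs under the machine account, so the share needs to grant read access to the lab computers rather than to users.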
0

It sounds like you could really use a product like RES or AppSense. Both of these products help manage mandatory profiles, on a per application, per filter basis (filter being subnet, AD site, PC name etc.). You certainly want to store the profile locally; however, initial login may be slow. Another possibility is to consider MultiPoint Server.

Jim B
  • For the OP's benefit, RES also has a free express edition that may be useful. There's a very real implementation overhead though - it's not something you can just chuck in on a whim. – Dan Dec 23 '11 at 16:19
-1

http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php

I have been using this technique on win7 public library computers. The only difference is instead of a network share I put the profile in the Users folder.

Hope this helps if anyone else is trying to do this.

  • 1
    Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – EEAA Jul 23 '14 at 21:02